Closed Bug 1169979 Opened 9 years ago Closed 9 years ago

crash in mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&)

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1169867

Tracking Flags:

Tracking

Status

firefox41

---

affected

People

(Reporter: alice0775, Unassigned)

References

Details

(4 keywords)

Crash Data

Alice0775 White

Reporter

Description

•

9 years ago

This bug was filed from the Socorro interface and is 
report bp-119076da-e55c-4606-8414-64ff52150531.
=============================================================

Crash while navigates Google Maps

Boris Zbarsky [:bzbarsky]

Comment 1

•

9 years ago

[Tracking Requested - why for this release]: Regression causing crashes.

This is a regression from bug 1166924.

In particular, this bit in XMLHttpRequest::Open:

   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
     ReleaseProxy();
     mProxy->mOpening = false;

will cause a null-deref crash if reached, since ReleaseProxy sets mProxy to null, right?

Blocks: CVE-2015-2722

tracking-firefox41: --- → ?

Flags: needinfo?(amarchesini)

Keywords: regression

Boris Zbarsky [:bzbarsky]

Comment 2

•

9 years ago

[Tracking Requested - why for this release]: Looks like bug 1166924 got backported to various branches....

tracking-firefox39: --- → ?

tracking-firefox40: --- → ?

tracking-firefox-esr38: --- → ?

Boris Zbarsky [:bzbarsky]

Updated

•

9 years ago

tracking-firefox-esr31: --- → ?

Andrea Marchesini [:baku]

Updated

•

9 years ago

Group: core-security

Flags: needinfo?(amarchesini)

Andrea Marchesini [:baku]

Comment 3

•

9 years ago

You are right. I already fixed this bug in another bug.

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → DUPLICATE

Boris Zbarsky [:bzbarsky]

Updated

•

9 years ago

tracking-firefox39: ? → ---

tracking-firefox40: ? → ---

tracking-firefox41: ? → ---

tracking-firefox-esr31: ? → ---

tracking-firefox-esr38: ? → ---

Robert Kaiser

Updated

•

9 years ago

Crash Signature: [@ mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&)] → [@ mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&)] [@ mozilla::dom::wor…

BMO Automation

Updated

•

9 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Group: core-security-release

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Keywords: csectype-uaf, sec-critical

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

crash in mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&)

Categories

(Core :: General, defect)

Tracking

()

People

(Reporter: alice0775, Unassigned)

References

Details

(4 keywords)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Updated

Updated

Updated

Updated

Updated